Slashdot Mirror


Heartbleed To Blame For Community Health Systems Breach

An anonymous reader writes: The Heartbleed vulnerability is the cause of the data breach at Community Health Systems, which resulted in 4.5 million records (containing patient data) being compromised. According to a blog post from TrustedSec, the attackers targeted a vulnerable Juniper router and obtained credentials, which allowed them access to the network's VPN.

3 of 89 comments

  1. Re:It's not like they've had 5 months to fix it... by fuzzyfuzzyfungus · Score: 5, Funny

    The ticket was accidentally routed to cardiology. The attending physician checked it out and the router's heartbeat was absolutely normal and there was no evidence of bleeding in the chassis.

  2. Re:It's not like they've had 5 months to fix it... by plover · Score: 5, Insightful

    They said they think they were breached sometime between April and June. Heartbleed was announced in April. The window was zero to two months, not five.

    And it's not that data security is a low priority, it's just that it may not be as high a priority as network availability. This is health care, where problems in communication might affect patient outcomes. "Hey, sysadmin, Doctor Green couldn't respond to his page last night, and the patient died as a result." These are the kinds of arguments that are thrown at the IT departments at every health care provider. Whether or not we consider them rational or valid is irrelevant.

    So in that backdrop, we might try to understand that they probably don't just slam in every patch that the vendor has to offer, at least not without a giant process circus. I would guess that they have a patch intake process, where they have to run the patch by some engineering team that evaluates the nature of the patch, and devises some kind of testing plan to execute in their lab environment. They then have to pass it to the testing team who will set up and execute the patch process in the lab, document all their findings, and then turn the patch over to the production network team. They'll put it on their list, and they'll have their own manager who says "whoa, why are you security guys rushing to slam this patch in to my border router? Let's slow down and think about this one."

    I could easily see it taking a month in a big, regulated corporate environment.

    --
    John

  3. Re:It's not like they've had 5 months to fix it... by rhazz · Score: 5, Funny

    Dammit Jim! I'm a doctor, not a server administrator!